Certificate Monitoring Overview
Administrators must be able to keep track of certificates. Part of this is knowing which certificates need to be renewed and when. Cisco Unified Communications Manager contains automated systems that help administrators to know which certificates are approaching renewal and when. You can configure the system to do the following:
- Monitor certificate statuses on an ongoing basis and email you when a certificate is approaching expiration.
- Use the Online Certificate Status Protocol (OCSP) to check certificate status regularly and revoke certificates as they expire.
Certificate Revocation through Online Certificate Status Protocol
Unified Communications Manager provisions OCSP for monitoring certificate revocation. The system checks the certificate status to confirm validity at scheduled intervals and every time a certificate is uploaded.
The Online Certificate Status Protocol (OCSP) helps administrators manage their system's certificate requirements. When OCSP is configured, it provides a simple, secure, and automated method to check certificate validity and revoke expired certificates in real-time.
For FIPS deployments with Common Criteria mode enabled, OCSP also helps your system comply with Common Criteria requirements.
Validation Checks
Unified Communications Manager checks the certificate status and confirms validity.
The certificates are validated as follows:
- Unified Communications Manager uses the Delegated Trust Model (DTM) and checks the Root CA or Intermediate CA for the OCSP signing attribute. The Root CA or the Intermediate CA must sign the OCSP Certificate to check the status. If the delegated trust model fails, Unified Communications Manager falls back to the Trust Responder Model (TRP) and uses a designated OCSP response signing certificate from an OCSP server to validate certificates.
Note: The OCSP Responder must be running to check the revocation status of the certificates.
- Enable the OCSP option in the Certificate Revocation window to provide the most secure means of checking certificate revocation in real time. Choose whether to use the OCSP URI from the certificate or the configured OCSP URI. For more information on manual OCSP configuration, see Configure Certificate Revocation via OCSP.
Note: In the case of leaf certificates, TLS clients such as syslog, FileBeat, SIP, ILS, LBM, and so on send OCSP requests to the OCSP responder and receive the certificate revocation response in real time from the OCSP responder.
One of the following statuses is returned for the certificate once the validations are performed and Common Criteria mode is ON.
- Good -- The good state indicates a positive response to the status inquiry. At a minimum, this positive response indicates that the certificate is not revoked, but it does not necessarily mean that the certificate was ever issued or that the time at which the response was produced is within the certificate's validity interval. Response extensions may be used to convey additional information on assertions made by the responder regarding the status of the certificate, such as a positive statement about issuance, validity, and so on.
- Revoked -- The revoked state indicates that the certificate has been revoked, either permanently or temporarily (on hold).
- Unknown -- The unknown state indicates that the OCSP responder doesn't know about the certificate being requested.
Note: In Common Criteria mode, the connection fails for both the Revoked and the Unknown responses, whereas the connection succeeds on an Unknown response when Common Criteria mode is not enabled.
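The following Python model, added here as an illustration rather than code from Cisco or Unified Communications Manager, puts the rules above into one decision function: choose the responder URI (from the certificate or the configured value), accept the response signer under the Delegated Trust Model or fall back to the designated trusted responder, then map Good/Revoked/Unknown to a connection decision that depends on Common Criteria mode. Certificate identities are matched by name for brevity (an assumption; a real validator also verifies signatures), and all certificates are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Extended Key Usage an OCSP signing certificate must carry (id-kp-OCSPSigning, RFC 6960).
OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ekus: Tuple[str, ...] = ()
    ocsp_uri: Optional[str] = None   # OCSP URI carried in the certificate, if any

@dataclass(frozen=True)
class OcspResponse:
    status: str        # "good", "revoked" or "unknown"
    signer: Cert       # certificate whose key signed the response

def responder_uri(cert: Cert, use_cert_uri: bool, configured_uri: str) -> str:
    """Pick the responder to query: the certificate's own OCSP URI or the configured one."""
    return cert.ocsp_uri if use_cert_uri and cert.ocsp_uri else configured_uri

def trust_model(resp: OcspResponse, issuing_ca: Cert, designated: Optional[Cert]) -> Optional[str]:
    """Return "DTM" if the Delegated Trust Model accepts the response signer, "TRP" if only
    the designated trusted responder certificate does, or None if the response is untrusted.
    Simplification: identity is matched by name; real code also verifies the signatures."""
    s = resp.signer
    if s.subject == issuing_ca.subject:                                   # CA signed the response itself
        return "DTM"
    if s.issuer == issuing_ca.subject and OCSP_SIGNING_EKU in s.ekus:     # CA delegated OCSP signing
        return "DTM"
    if designated is not None and s.subject == designated.subject:       # fallback: trusted responder
        return "TRP"
    return None

def connection_allowed(resp: OcspResponse, issuing_ca: Cert, designated: Optional[Cert],
                       common_criteria: bool) -> Tuple[bool, str]:
    """Decide whether the TLS connection may proceed, and report which trust model applied."""
    model = trust_model(resp, issuing_ca, designated)
    if model is None:
        return False, "untrusted responder"
    if resp.status == "good":
        return True, model
    if resp.status == "revoked":
        return False, model
    # "unknown": the responder has no record of the certificate. This is fatal only in
    # Common Criteria mode; otherwise the connection is allowed to succeed.
    return (not common_criteria), model
```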